Hacker gets 30 months for extortion plot on Marriott

Hungarian hacker demanded a $150K job, free hotel room and the right to work whenever he wanted

A Hungarian hacker who attempted to extort money from Marriott International by stealing confidential data from its computers and threatening to expose it was sentenced to 30 months in prison.

Attila Nemeth, 26, will also serve three years of supervised release following his prison term, federal prosecutors said in a statement Friday.

Nemeth had previously pleaded guilty to charges of transmitting malicious code and attempted extortion, in U.S. District Court in Maryland.

According to court documents, Nemeth informed Marriott officials in November 2010 that he had gained access to the company's computers and had stolen proprietary information from its systems.

As proof, he emailed Marriott eight documents, seven of which were later confirmed to be proprietary company information. The stolen data included sensitive financial information.

An investigation by Marriott showed that Nemeth had planted two remotely controlled Trojans on the company's systems that allowed him access to other systems on the network. Nemeth gained initial access to the systems by getting a handful of Marriott employees to click on infected email attachments that he had sent to them.

Nemeth threatened to release the data he had stolen to Marriott's rivals or to its employees, or post it publicly if the company did not give him a job. His demands included a job based in Europe paying at least $150,000 annually, a hotel room in any hotel of his choice, free flights to wherever he wanted and the right to work whenever he felt like it.

In exchange, Nemeth said he would destroy the stolen data in two years.

"You fire your incompetent IT staff and hire me as an outside contractor to take care of your IT network security ," Nemeth write in an email. "After my new job works out for a couple of years all the docs I collected from your network going to wanish (sic)," he wrote.

A U.S. Secret Service agent, posturing as "Phillip Bender," a Marriott IT executive, established contact with Nemeth and engaged him in a discussion about a possible job in the U.S. Nemeth agreed to come to the U.S. for an employment interview with Marriott.

The agent, masquerading as the Marriott executive, interviewed the hacker. Nemeth, believing he was speaking with a Marriott executive, disclosed details of how he had gained access to the company's systems, and the location of the servers where the stolen data was stored.

The loss to Marriott as a result of Nemeth's intrusion was about $1 million in salaries, consultant expenses and other costs.